Things are locked down and cleaned up and I've been going over the access logs and don't see any indication that the script kiddie got anything useful but from 3/30 through 4/2 he had a back door on the system that let him execute arbitrary php code.

There is nothing in the logs that shows he got around to doing anything useful or that he managed to grab the database but it would be safer if you assume that he managed to grab a full database dump which would have everyone's account name, email address and encrypted password.

It looks like MyBB salts the md5 hashes for the passwords so even with a full database dump it would be very unlikely that they would be able to crack the password (they would have to brute-force individual passwords since rainbow tables would be useless) but in an abundance of caution it wouldn't be a bad idea to change them (particularly if you use the same password elsewhere).

I will post a full timeline of events and hack details to my blog later this afternoon.

I take security as seriously as I can but with a constant stream of attacks every now and then the script kiddies get lucky.